• 
• 
• 
• 
• 
• 
• 

 1 of 7

Gallery

Active Directory Workshop

Posted on 5 Jun 2002 at 14:59

Populating the Directory

For this workshop, we created a domain called pcpro.local and set up three OU (Organisational Unit) container objects to logically group our users and manage their rights. One of these we called 'admin' (admin.pcpro.local) for users allowed to administer parts of the directory. We then created a sales.pcpro.local OU for - you guessed it - sales staff, and editorial.pcpro.local for editorial users.

Creating the OU containers was straightforward and just a matter of either clicking the new OU icon on the console toolbar, or selecting 'New...Organisational Unit' from the right mouse menu. Likewise, it was easy then to add new users within each OU. Existing accounts were simply dragged from the default Users container, while new accounts were defined directly in much the same way as on an ordinary NT domain network.

User groups are created in a similar manner, with the option of creating groups specific to the local domain, or with more global rights across the domain tree. You can also delegate the right to manage particular OUs to either individual users or, a group of users, simply by selecting the OU concerned and choosing 'Delegate Control...' from the right mouse menu. Another Wizard then steps you through the process of choosing the users or groups to which control will be given, followed by the rights to be delegated.

It's also easy to define shared file objects from the MMC snap-in, although the shares themselves need to be created first using the usual Windows tools. Shared printers can also have directory entries created for them, with the added advantage that the directory entries will be created automatically by the Add Printer Wizard in Windows 2000.

On our domain server, we created a number of shared folders and printer shares, both on the domain controller server and others. We then started the AD Users and Computers snap-in and added directory entries to point to all these resources. By putting them in particular OU containers, we were able to reflect the logical rather than physical structure of our network.

This may seem a bit unnecessary, as it's possible to use the shares whether directory entries have been set up for them or not. However, there are advantages to the directory pointers, albeit only for users of Windows 2000 and XP systems, as those with earlier versions of Windows can't make use of AD directly.

One big plus is that Windows 2000 and XP users are able to locate resources through the directory quicker and more easily than by browsing using NetBIOS. This is especially important where users are physically distant from the servers and printers concerned. Instead of having to traverse slow WAN links to find resources, all that's needed is a quick local directory search. Added to this, it's possible to search for printers and shares based on the various attributes assigned to them in the directory.

For instance, if you needed to print a particularly complex document, you could search for printers with lots of memory, list colour printers for presentation slides, the fastest printers and so on.

What the user sees

Despite some big differences in the underlying technology when AD is deployed, not much actually changes at the user end of the equation. When logging on to our AD domain using a Windows 2000 Professional PC, we're presented with the same logon screen as for an NT domain. We can also continue to browse the network as normal, to locate shares and printers - just as on any NT or peer-to-peer Windows network.